--- title: "EU Data Act FAQ: scope, access rights, B2G, cloud switching, GDPR, and dates" canonical_url: "https://www.sorena.io/artifacts/eu/data-act/faq" source_url: "https://www.sorena.io/artifacts/eu/data-act/faq/items/page/6" author: "Sorena AI" description: "Grounded EU Data Act FAQ index covering connected-product data access, third-party sharing, B2G exceptional need, cloud switching, smart contracts, GDPR boundaries, unfair terms, trade secrets, and application dates." published_at: "2026-05-06" updated_at: "2026-05-25" keywords: - "EU Data Act FAQ" - "Data Act scope" - "connected product data" - "B2G data sharing" - "cloud switching" - "GDPR Data Act" - "EU Data Act" - "Data Act FAQ" - "Regulation (EU) 2023/2854" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU Data Act FAQ: scope, access rights, B2G, cloud switching, GDPR, and dates Grounded EU Data Act FAQ index covering connected-product data access, third-party sharing, B2G exceptional need, cloud switching, smart contracts, GDPR boundaries, unfair terms, trade secrets, and application dates. *FAQ* *EU* *Data Act* ## EU Data Act FAQ hub Answers to the recurring EU Data Act questions that decide whether connected-product data, related-service data, B2G requests, cloud contracts, or smart-contract tooling need a compliance review. Use this index to orient product, legal, cloud, procurement, data protection, security, and public-sector request teams before opening the deeper topic modules. The EU Data Act, Regulation (EU) 2023/2854, creates horizontal rules for fair access to and use of data. Its FAQ set is not only about IoT data portability: it also covers mandatory B2B sharing terms, unfair contractual terms, public-sector access in exceptional need, cloud and edge switching, safeguards against unlawful third-country government access to non-personal data, interoperability, smart contracts, enforcement, and the boundary with GDPR. ## Browse sub-FAQ modules ### [Data Act and Data Governance Act Overlap FAQ](/artifacts/eu/data-act/faq/data-governance-act-overlap.md) FAQ explaining where the EU Data Act and Data Governance Act overlap, how they differ, and how to route product, cloud, public-sector reuse, intermediary, and data altruism workflows. - 12 items ### [Data Act and GDPR Personal Data Overlap FAQ](/artifacts/eu/data-act/faq/gdpr-personal-data-overlap.md) FAQ on how the EU Data Act works when connected-product or related-service data includes personal data, mixed datasets, GDPR roles, lawful basis, trade secrets, and third-party sharing. - 12 items ### [Data Act Audit Evidence And Request Logs FAQ](/artifacts/eu/data-act/faq/audit-evidence-and-request-logs.md) FAQ for Data Act request logs covering user and third-party access, B2G exceptional need requests, cloud switching records, contract terms, trade secrets, and GDPR boundaries. - 12 items ### [Data Act Cloud Switching Contract Terms FAQ](/artifacts/eu/data-act/faq/cloud-switching-contract-terms.md) FAQ on EU Data Act cloud switching contract terms: Article 25 clauses, assistance, notice, transition, charges, export, termination, interoperability, and records. - 12 items ### [Data Act Cloud Switching Fees And Deadlines FAQ](/artifacts/eu/data-act/faq/cloud-switching-fees-and-deadlines.md) FAQ on EU Data Act cloud switching charges, 2027 fee removal, notice periods, transition windows, data retrieval, contract terms, and evidence records. - 12 items ### [Data Act Complaints and Dispute Settlement FAQ](/artifacts/eu/data-act/faq/complaints-and-dispute-settlement.md) FAQ on EU Data Act complaints, competent authorities, dispute settlement bodies, B2B data-sharing disputes, B2G requests, cloud switching disputes, and evidence records. - 12 items ### [Data Act Exportable Data and Metadata FAQ](/artifacts/eu/data-act/faq/exportable-data-and-metadata.md) FAQ explaining which product, related service, metadata, and cloud switching data must be exportable under the EU Data Act, and which data can be excluded. - 12 items ### [Data Act FAQ for Aftermarket Repair and Mobility Services](/artifacts/eu/data-act/faq/aftermarket-repair-and-mobility-services.md) FAQ on EU Data Act vehicle-data access for repairers, independent service providers, fleets, insurers, and mobility services. - 12 items ### [Data Act Functional Equivalence FAQ](/artifacts/eu/data-act/faq/functional-equivalence.md) FAQ on Data Act functional equivalence for cloud switching: IaaS scope, customer outcomes, export support, interoperability duties, limits, and evidence. - 12 items ### [Data Act Indirect Access Request Flows FAQ](/artifacts/eu/data-act/faq/indirect-access-request-flows.md) FAQ for Data Act teams handling user and third-party data requests when direct connected-product access is unavailable, incomplete, or limited. - 12 items ### [Data Act International Government Access FAQ](/artifacts/eu/data-act/faq/international-government-access.md) FAQ on EU Data Act safeguards for non-EU government access to non-personal data held in the Union by data processing service providers. - 12 items ### [Data Act Interoperability Standards FAQ](/artifacts/eu/data-act/faq/interoperability-standards.md) FAQ on EU Data Act interoperability standards for data spaces, cloud switching, smart contracts, harmonised standards, common specifications, and M/614. - 12 items ### [Data Act Model Contractual Terms FAQ](/artifacts/eu/data-act/faq/model-contractual-terms.md) FAQ on the EU Data Act non-binding model contractual terms for data access and use, cloud switching clauses, B2B use, unfair terms, and evidence. - 12 items ### [Data Act Public Emergency Requests FAQ](/artifacts/eu/data-act/faq/public-emergency-requests.md) FAQ on EU Data Act public emergency requests: exceptional need, request content, timing, data holder response, compensation, confidentiality, and records. - 12 items ### [Data Act SME Exceptions and Startups FAQ](/artifacts/eu/data-act/faq/sme-exceptions-and-startups.md) FAQ on where the EU Data Act gives micro, small, medium-sized, startup, and SME actors narrower treatment for access duties, compensation, and B2B terms. - 12 items ### [Data Act Trade Secret Technical Protection Measures FAQ](/artifacts/eu/data-act/faq/trade-secret-technical-protection-measures.md) FAQ on how EU Data Act data holders can protect trade secrets with confidentiality safeguards, technical measures, limited withholding, suspension, refusal, and evidence. - 12 items ### [EU Data Act and Common European Data Spaces FAQ](/artifacts/eu/data-act/faq/data-act-and-common-european-data-spaces.md) FAQ on how EU Data Act interoperability duties, Data Governance Act rules, and sector data-space governance fit together without treating participation as a general obligation. - 12 items ### [EU Data Act Application Dates And Transition FAQ](/artifacts/eu/data-act/faq/application-dates-and-transition.md) FAQ on when the EU Data Act applies, which obligations are delayed, and what product, contract, cloud, and evidence records teams should maintain. - 12 items ### [EU Data Act Article 36 Smart Contract Controls FAQ](/artifacts/eu/data-act/faq/article-36-smart-contract-controls.md) FAQ explaining when EU Data Act Article 36 applies to smart contracts for data-sharing agreements and what controls, conformity evidence, and limits it requires. - 12 items ### [EU Data Act B2B Data Sharing Compensation FAQ](/artifacts/eu/data-act/faq/compensation-for-b2b-data-sharing.md) FAQ on when Data Act data holders may charge B2B data recipients, what reasonable compensation can include, SME limits, unfair terms, disputes, and trade secret safeguards. - 12 items ### [EU Data Act B2G Compensation and Costs FAQ](/artifacts/eu/data-act/faq/b2g-compensation-and-costs.md) FAQ on when Data Act B2G exceptional-need requests are free, when fair compensation may be claimed, which costs can be included, and what records to keep. - 12 items ### [EU Data Act B2G Exceptional Need FAQ](/artifacts/eu/data-act/faq/b2g-exceptional-need.md) When public-sector bodies can request business-held data under the EU Data Act, what a valid request must contain, and how data holders handle limits, trade secrets, compensation, and evidence. - 13 items ### [EU Data Act Cloud Switching Procurement FAQ](/artifacts/eu/data-act/faq/cloud-switching-procurement-checklist.md) Procurement checklist FAQ for EU Data Act cloud switching: contract terms, exit support, exportable data, switching charges, interoperability, termination, and supplier evidence. - 12 items ### [EU Data Act Connected Product Scope FAQ](/artifacts/eu/data-act/faq/scope-connected-products.md) FAQ explaining when connected products, related services, generated data, EU market placement, and SME exceptions fall within EU Data Act scope. - 12 items ### [EU Data Act data spaces interoperability FAQ](/artifacts/eu/data-act/faq/data-spaces-interoperability.md) FAQ explaining Article 33 Data Act interoperability requirements for data-space participants, common European data spaces, standards, APIs, metadata, and architecture evidence. - 12 items ### [EU Data Act Direct Access by Design FAQ](/artifacts/eu/data-act/faq/direct-access-by-design.md) FAQ for product and legal teams designing user access to connected-product and related-service data under the EU Data Act. - 12 items ### [EU Data Act Enforcement And Competent Authorities FAQ](/artifacts/eu/data-act/faq/enforcement-and-competent-authorities.md) FAQ on who enforces the EU Data Act, how complaints work, how Member States set penalties, when dispute settlement can be used, and when GDPR authorities remain responsible. - 12 items ### [EU Data Act Non-Emergency Public-Sector Requests FAQ](/artifacts/eu/data-act/faq/non-emergency-public-sector-requests.md) FAQ on EU Data Act requests where a public body claims exceptional need outside a public emergency, including scope, request contents, limits, compensation, confidentiality, and evidence. - 12 items ### [EU Data Act Non-Personal Data and Mixed Datasets FAQ](/artifacts/eu/data-act/faq/non-personal-data-and-mixed-datasets.md) FAQ on how the EU Data Act treats non-personal data, mixed datasets, GDPR precedence, user and third-party access, trade-secret limits, and evidence records. - 12 items ### [EU Data Act Pre-Contractual Information FAQ](/artifacts/eu/data-act/faq/pre-contractual-information.md) FAQ on EU Data Act Article 3 pre-contract information for connected products and related services, including data categories, access methods, data holder identity, third-party sharing, and GDPR boundaries. - 12 items ### [EU Data Act Product Data vs Related Service Data FAQ](/artifacts/eu/data-act/faq/product-data-and-service-data.md) FAQ explaining how the EU Data Act separates connected product data, related service data, readily available raw and pre-processed data, metadata, and inferred or derived outputs. - 12 items ### [EU Data Act Readily Available Data FAQ](/artifacts/eu/data-act/faq/readily-available-data.md) FAQ on what counts as readily available data under the EU Data Act, including product data, related service data, metadata, inferred data, and access mechanics. - 12 items ### [EU Data Act Related Services FAQ](/artifacts/eu/data-act/faq/related-services.md) FAQ explaining when software is a Data Act related service, how it links to connected products, which product and service data are in scope, and what exclusions apply. - 12 items ### [EU Data Act Smart Contracts for Data Sharing FAQ](/artifacts/eu/data-act/faq/smart-contracts-for-data-sharing.md) Answers on Article 36 Data Act smart-contract requirements for data sharing: scope, robustness, access control, termination, archiving, conformity assessment, contract terms, and standards status. - 12 items ### [EU Data Act Third-Party Data Sharing FAQ](/artifacts/eu/data-act/faq/third-party-data-sharing.md) FAQ on user-directed third-party data sharing under the EU Data Act, covering data holder duties, recipient limits, trade secrets, security, GDPR, and gatekeepers. - 12 items ### [EU Data Act Trade Secret Safeguards FAQ](/artifacts/eu/data-act/faq/trade-secrets-safeguards.md) FAQ on protecting trade secrets when handling EU Data Act user and third-party data access requests, including safeguards, withholding, suspension, refusal, notices, and records. - 12 items ### [EU Data Act Unfair Contractual Terms FAQ](/artifacts/eu/data-act/faq/unfair-contractual-terms.md) FAQ on Article 13 of the EU Data Act: B2B unfair contract terms, unilateral take-it-or-leave-it clauses, always-unfair terms, presumed-unfair terms, SMEs, model terms, and review evidence. - 12 items ### [EU Data Act Users, Data Holders, and Recipients FAQ](/artifacts/eu/data-act/faq/users-data-holders-and-recipients.md) FAQ explaining Data Act users, data holders, data recipients, connected products, related services, user access, third-party limits, and GDPR boundaries. - 12 items ### [EU Data Act Vehicle Data Guidance FAQ](/artifacts/eu/data-act/faq/vehicle-data-guidance.md) FAQ on EU Data Act vehicle data guidance for connected vehicles, aftermarket repair, mobility services, third-party access, trade secrets, security, and GDPR boundaries. - 12 items Browse all indexed questions: [/artifacts/eu/data-act/faq/items](/artifacts/eu/data-act/faq/items.md) ## All FAQ items *Page 6 of 24. Showing 20 of 469 items.* ### [What data and digital assets matter for the assessment under the Data Act?](/artifacts/eu/data-act/faq/functional-equivalence.md#what-data-and-digital-assets-matter-for-the-assessment-under-the-data-act) *Module: [Data Act Functional Equivalence](/artifacts/eu/data-act/faq/functional-equivalence.md)* The switching file should distinguish exportable data from digital assets and from material that the Data Act does not require the provider to disclose or transfer. Exportable data covers input and output data, including metadata generated or co-generated by the customer's use of the service, but excludes provider or third-party intellectual property and trade secrets. - List exportable data separately from provider-owned assets, third-party assets, trade secrets, and security-sensitive material. - List digital assets needed for the new environment, including configuration, access-control, virtualisation, and workload packaging items where applicable. - For each exclusion, record why the exclusion does not impede or delay the switching process. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 2(38) and Article 25 ground the exportable-data category and the contract specification of portable data and digital assets. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - FAQ 53 explains the difference between exportable data and digital assets for switching data processing services. ### [How do interoperability duties connect to functional equivalence under the Data Act?](/artifacts/eu/data-act/faq/functional-equivalence.md#how-do-interoperability-duties-connect-to-functional-equivalence-under-the-data-act) *Module: [Data Act Functional Equivalence](/artifacts/eu/data-act/faq/functional-equivalence.md)* Interoperability is the technical and organisational foundation that makes switching realistic. For PaaS and SaaS, the Data Act focuses on open interfaces, sufficient service information for software communication, compatibility with published common specifications or harmonised standards, and structured, commonly used, machine-readable exports where standards have not yet been published. - Track whether relevant common specifications or harmonised standards have been published for the service type. - For non-IaaS services, align interfaces, export formats, and register entries with the applicable standards timeline. - For IaaS, use interoperability work to support comparable outcomes while preserving the limits on source-provider responsibility. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 30 and 35 connect switching, open interfaces, export formats, common specifications, harmonised standards, and functional equivalence. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explainer states that interoperability between data processing services is essential for customers to benefit from easier switching. ### [What limits should contracts and help-center copy state clearly under the Data Act?](/artifacts/eu/data-act/faq/functional-equivalence.md#what-limits-should-contracts-and-help-center-copy-state-clearly-under-the-data-act) *Module: [Data Act Functional Equivalence](/artifacts/eu/data-act/faq/functional-equivalence.md)* Functional-equivalence wording should not imply unlimited responsibility. The Data Act limits the source provider's technical obligations to the services, contracts, and commercial practices it provides. It also says providers are not required to develop new technologies or services, disclose or transfer protected intellectual property or trade secrets, or compromise security and service integrity. - State that functional equivalence is limited to the source provider's own service environment and reasonable measures within its power. - Do not promise transfer of protected intellectual property, trade secrets, or security-sensitive assets. - Separate mandatory switching support from separately requested migration, re-architecture, optimisation, or managed transition work. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 24, 29, and 30 limit source-provider responsibility, protect IP, trade secrets, security, and distinguish additional services from switching obligations. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - FAQ 58b explains that source providers are not responsible for rebuilding the service in the destination ecosystem. ### [Which records should teams keep to justify an EU Data Act functional-equivalence decision later?](/artifacts/eu/data-act/faq/functional-equivalence.md#which-records-should-teams-keep-to-justify-an-eu-data-act-functional-equivalence-decision-later) *Module: [Data Act Functional Equivalence](/artifacts/eu/data-act/faq/functional-equivalence.md)* For functional equivalence, the Data Act record should identify the source clause, Commission guidance, actor role, dataset, request or contract trigger, and the owner who approved the interpretation. - Map the decision to the Data Act provision or Commission guidance relied on for the switching assessment. - Record the service type, shared features, exportable data, digital assets, and any excluded items that affect the outcome. - Store the approval trail, implementation artifact, and review trigger in one evidence file so the decision can be revisited if the service or standards change. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Chapter VI switching duties, Article 2 definitions, Article 23 obstacle removal, Article 25 contract terms, Article 26 information duties, Article 29 switching charges, Article 30 technical switching duties, and Article 35 interoperability. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission fact page explaining cloud switching, data egress, PaaS and SaaS open interfaces, IaaS functional equivalence, and interoperability context. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ context for service scope, exportable data, digital assets, switching charges, notice and transition periods, interoperability repository, and the limits of source-provider responsibility. ### [Who should own EU Data Act functional-equivalence work and the related follow-up actions?](/artifacts/eu/data-act/faq/functional-equivalence.md#who-should-own-eu-data-act-functional-equivalence-work-and-the-related-follow-up-actions) *Module: [Data Act Functional Equivalence](/artifacts/eu/data-act/faq/functional-equivalence.md)* For functional equivalence, the Data Act workflow should name the legal, product, procurement, cloud, support, or security owner who can change the affected process. - Assign one accountable owner for the switching decision, and name the operational owner who can execute the export, support, or migration steps. - Record the teams consulted on legal scope, technical feasibility, security, and customer communications instead of spreading responsibility across everyone. - Set a review trigger for service changes, new standards, or new destination-provider capabilities so the decision can be refreshed when needed. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Chapter VI switching duties, Article 2 definitions, Article 23 obstacle removal, Article 25 contract terms, Article 26 information duties, Article 29 switching charges, Article 30 technical switching duties, and Article 35 interoperability. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission fact page explaining cloud switching, data egress, PaaS and SaaS open interfaces, IaaS functional equivalence, and interoperability context. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ context for service scope, exportable data, digital assets, switching charges, notice and transition periods, interoperability repository, and the limits of source-provider responsibility. ### [How does the EU Data Act distinguish functional equivalence for IaaS from a plain export for SaaS?](/artifacts/eu/data-act/faq/functional-equivalence.md#how-does-the-eu-data-act-distinguish-functional-equivalence-for-iaas-from-a-plain-export-for-saas) *Module: [Data Act Functional Equivalence](/artifacts/eu/data-act/faq/functional-equivalence.md)* Under the Data Act, the functional-equivalence duty centres on IaaS, where the source provider must take reasonable measures so the customer can re-establish a minimum level of functionality on a same-type destination service. For PaaS and SaaS the duty is lighter: export the exportable data and digital assets in a structured, commonly used, machine-readable format. - Apply the functional-equivalence duty to IaaS and the structured-export duty to PaaS and SaaS. - Classify the service type before setting customer expectations about the switching outcome. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Chapter VI switching duties, Article 2 definitions, Article 23 obstacle removal, Article 25 contract terms, Article 26 information duties, Article 29 switching charges, Article 30 technical switching duties, and Article 35 interoperability. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission fact page explaining cloud switching, data egress, PaaS and SaaS open interfaces, IaaS functional equivalence, and interoperability context. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ context for service scope, exportable data, digital assets, switching charges, notice and transition periods, interoperability repository, and the limits of source-provider responsibility. ### [What reasonable measures must a source provider take to facilitate EU Data Act functional equivalence?](/artifacts/eu/data-act/faq/functional-equivalence.md#what-reasonable-measures-must-a-source-provider-take-to-facilitate-eu-data-act-functional-equivalence) *Module: [Data Act Functional Equivalence](/artifacts/eu/data-act/faq/functional-equivalence.md)* Under the Data Act, the source provider must offer reasonable assistance, exercise due care to maintain business continuity, provide capabilities and information to support the switch, and keep a high level of security during transfer and retrieval. The duty is about enabling the customer to reach a comparable outcome, not rebuilding the destination environment. - Provide assistance, continuity care, and security during the transfer and retrieval window. - Scope the duty to the provider's own service and price anything beyond it as an additional service. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Chapter VI switching duties, Article 2 definitions, Article 23 obstacle removal, Article 25 contract terms, Article 26 information duties, Article 29 switching charges, Article 30 technical switching duties, and Article 35 interoperability. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission fact page explaining cloud switching, data egress, PaaS and SaaS open interfaces, IaaS functional equivalence, and interoperability context. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ context for service scope, exportable data, digital assets, switching charges, notice and transition periods, interoperability repository, and the limits of source-provider responsibility. ### [When can a source provider decline a functional-equivalence request under the EU Data Act limits?](/artifacts/eu/data-act/faq/functional-equivalence.md#when-can-a-source-provider-decline-a-functional-equivalence-request-under-the-eu-data-act-limits) *Module: [Data Act Functional Equivalence](/artifacts/eu/data-act/faq/functional-equivalence.md)* Under the Data Act, a source provider is not required to develop new technologies or services, disclose or transfer protected intellectual property or third-party trade secrets, or compromise the security and integrity of its service to deliver functional equivalence. These are genuine limits rather than excuses to avoid the switching duty. - Decline only where a request would require new development, IP or trade-secret transfer, or a security compromise. - Still deliver the export, assistance, and continuity duties for the parts of the switch not affected by the limit. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding source for Chapter VI switching duties, Article 2 definitions, Article 23 obstacle removal, Article 25 contract terms, Article 26 information duties, Article 29 switching charges, Article 30 technical switching duties, and Article 35 interoperability. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission fact page explaining cloud switching, data egress, PaaS and SaaS open interfaces, IaaS functional equivalence, and interoperability context. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ context for service scope, exportable data, digital assets, switching charges, notice and transition periods, interoperability repository, and the limits of source-provider responsibility. ### [When is an indirect access request needed under the Data Act for Indirect Access Request Flows implementation evidence?](/artifacts/eu/data-act/faq/indirect-access-request-flows.md#when-is-an-indirect-access-request-needed-under-the-data-act-for-indirect-access-request-flows-implementation-evidence) *Module: [Data Act Indirect Access Request Flows](/artifacts/eu/data-act/faq/indirect-access-request-flows.md)* The Data Act context is the starting point for this answer. An indirect access request is needed when the user cannot get the relevant connected-product or related-service data directly from the product, app, service interface, device storage, or connected server path. Article 4 then shifts the operational route to the data holder: the holder must make readily available data and the metadata needed to interpret and use it accessible to the user. - Trigger the workflow when direct access is missing, broken, incomplete, or not technically available for the requested data. - Confirm that the data is readily available to the data holder and is product data or related-service data, not inferred or derived analysis outside Chapter II scope. - Use a simple electronic request route where technically feasible instead of asking users to negotiate a bespoke manual process. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 4(1) is the binding rule for data holder access when data cannot be directly accessed by the user. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explainer describes Chapter II scope as raw and pre-processed connected-product and related-service data that is readily available to the data holder. ### [What should the user request form ask for under the Data Act for Indirect Access Request Flows implementation evidence?](/artifacts/eu/data-act/faq/indirect-access-request-flows.md#what-should-the-user-request-form-ask-for-under-the-data-act-for-indirect-access-request-flows-implementation-evidence) *Module: [Data Act Indirect Access Request Flows](/artifacts/eu/data-act/faq/indirect-access-request-flows.md)* The Data Act context is the starting point for this answer. The form should collect enough information to identify the requester as a user, identify the connected product or related service, describe the requested data, and choose the delivery route. Article 4 limits verification: the data holder may not require more information than necessary to verify that the person qualifies as a user. - Ask for entitlement evidence that fits the product, such as ownership, rental, lease, contract, account, or related-service relationship. - Avoid broad identity or business-information demands that are not needed to verify the user or execute the request. - Keep requester-access logs only as long and as broadly as needed for execution, security, and maintenance of the data infrastructure. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 4(5) limits verification information and access-log retention for user access requests. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ 30 explains practical user verification and refers to simple request mechanisms and suitable product-specific identification methods. ### [How should teams handle a user request to share data with a third party under the Data Act?](/artifacts/eu/data-act/faq/indirect-access-request-flows.md#how-should-teams-handle-a-user-request-to-share-data-with-a-third-party-under-the-data-act) *Module: [Data Act Indirect Access Request Flows](/artifacts/eu/data-act/faq/indirect-access-request-flows.md)* The Data Act context is the starting point for this answer. Article 5 gives the user a separate right to ask the data holder, or have a party acting on the user's behalf ask, for readily available data and necessary metadata to be made available to a third party. This right is not limited to cases where the user lacks direct access; the Commission FAQ states that third-party transfer can still be requested even where direct access has been granted. - Do not reject a third-party request only because the user can already access the data directly. - Screen out Digital Markets Act gatekeepers as Article 5 third parties. - Do not treat an entity or person outside the Union as someone the data holder is obliged to serve under Chapter II. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Article 5(1) creates the user right to have readily available data made available to a third party. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQs 31, 36, and 37 clarify direct access, gatekeeper exclusion, and non-EU recipient limits for Chapter II sharing. ### [What should the data holder verify before delivering data under the Data Act?](/artifacts/eu/data-act/faq/indirect-access-request-flows.md#what-should-the-data-holder-verify-before-delivering-data-under-the-data-act) *Module: [Data Act Indirect Access Request Flows](/artifacts/eu/data-act/faq/indirect-access-request-flows.md)* The data holder should verify the requester role, the product or related-service relationship, whether the requested data is readily available, and whether the delivery would include personal data, trade secrets, or data subject to security restrictions. Verification should support the Data Act request; it should not become a barrier that makes the user's rights unduly difficult to exercise. - Verify user or third-party qualification with the minimum information needed for the request. - Classify requested data as readily available raw or pre-processed data plus necessary metadata, or document why it is outside that category. - Route mixed personal and non-personal data through a privacy review before delivery, anonymisation, narrowing, or refusal. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 4(5), 4(12), 5(4), and 5(7) support minimal verification and personal-data legal-basis checks. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQs 25a and 25b explain GDPR legal-basis and controller-accountability considerations for Data Act requests. ### [When may the data holder limit, withhold, suspend, or refuse access under the Data Act?](/artifacts/eu/data-act/faq/indirect-access-request-flows.md#when-may-the-data-holder-limit-withhold-suspend-or-refuse-access-under-the-data-act) *Module: [Data Act Indirect Access Request Flows](/artifacts/eu/data-act/faq/indirect-access-request-flows.md)* A data holder should distinguish ordinary scoping from formal limits. Data can be outside the request because it is not readily available, is inferred or derived, or is not product or related-service data. By contrast, security and trade-secret limits are Data Act safeguards that require specific handling, written reasons, and, in several cases, competent-authority notification. - Use data-scope exclusions for inferred, derived, unavailable, or out-of-scope data rather than calling every exclusion a refusal. - For security restrictions, record the legal security requirement, the serious adverse effect, the restriction chosen, and the authority notification. - For trade-secret withholding, suspension, or refusal, give written reasons without undue delay and notify the competent authority where Article 4 or Article 5 requires it. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 4(2), 4(7), 4(8), 5(10), and 5(11) define security restrictions and trade-secret withholding, suspension, and refusal mechanics. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explainer summarizes trade-secret and security safeguards and challenge routes for users. ### [How should trade secrets be protected without turning protection into a blanket denial under the Data Act?](/artifacts/eu/data-act/faq/indirect-access-request-flows.md#how-should-trade-secrets-be-protected-without-turning-protection-into-a-blanket-denial-under-the-data-act) *Module: [Data Act Indirect Access Request Flows](/artifacts/eu/data-act/faq/indirect-access-request-flows.md)* The Data Act does not allow the data holder to deny access merely because requested data includes trade secrets. The holder or trade-secret holder should identify protected data, including in relevant metadata, and agree proportionate technical and organisational measures with the user or third party before disclosure. - Mark the specific data or metadata treated as trade secrets before disclosure discussions. - Match protection measures to the disclosure purpose and recipient rather than using generic NDA language as the only safeguard. - Keep the non-secret or adequately protected part of the response moving where the Data Act allows partial delivery. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 4(6)-(8) and 5(9)-(11) require trade-secret identification, proportionate safeguards, written substantiation, and authority notification. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explainer confirms that trade-secret protection should not undermine the Data Act goal of making more data available. ### [What records should be kept for indirect access requests under the Data Act?](/artifacts/eu/data-act/faq/indirect-access-request-flows.md#what-records-should-be-kept-for-indirect-access-requests-under-the-data-act) *Module: [Data Act Indirect Access Request Flows](/artifacts/eu/data-act/faq/indirect-access-request-flows.md)* The Data Act context is the starting point for this answer. Keep a request record that proves the route was lawful and operationally complete without collecting more access-log information than Article 4 or Article 5 permits. The record should show the requester, verification basis, product or service, data categories, scope decision, personal-data assessment, trade-secret or security safeguard, delivery method, and outcome. - Retain request and access records only to the extent necessary for request execution, infrastructure security, maintenance, dispute handling, and legal accountability. - Use decision codes that distinguish delivered, partially delivered, outside scope, personal-data blocked, security restricted, trade-secret withheld or suspended, and trade-secret refused. - Record the challenge route given to the user or third party when access is refused, withheld, or suspended. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 4(5), 5(4), 4(9), and 5(12) support limited request-record retention and redress records for challenged decisions. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explainer identifies competent-authority, court, and dispute-settlement challenge routes for refused, withheld, or suspended sharing. ### [What is the shortest defensible workflow from intake to closure under the Data Act?](/artifacts/eu/data-act/faq/indirect-access-request-flows.md#what-is-the-shortest-defensible-workflow-from-intake-to-closure-under-the-data-act) *Module: [Data Act Indirect Access Request Flows](/artifacts/eu/data-act/faq/indirect-access-request-flows.md)* The Data Act context is the starting point for this answer. A compact workflow is: receive the electronic request, verify only what is necessary, identify the connected product or related service, classify the requested data, run personal-data, security, and trade-secret checks, choose user delivery or third-party delivery, communicate the outcome, and close the record with evidence of delivery or written reasons for any limit. - Publish one intake route that product, support, privacy, legal, and data operations teams all use. - Separate user self-access, user-requested third-party sharing, and rejected or restricted requests in the workflow. - Review the workflow whenever the product interface, account model, related service, data map, or delivery API changes. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Articles 4, 5, and 6 together support the intake, verification, delivery, safeguard, and third-party-use steps in an indirect access workflow. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQs explain legitimate-user verification, third-party transfers, safety and security restrictions, and dispute settlement. ### [What should teams keep on file to show the Data Act source basis for indirect access decisions?](/artifacts/eu/data-act/faq/indirect-access-request-flows.md#what-should-teams-keep-on-file-to-show-the-data-act-source-basis-for-indirect-access-decisions) *Module: [Data Act Indirect Access Request Flows](/artifacts/eu/data-act/faq/indirect-access-request-flows.md)* For indirect access request flows, keep the specific Article 4 or Article 5 citation, the official source URL, and the internal decision note together with the request record. That makes it easier to show which Data Act rule supported the action. - Store the source URL, article reference, decision date, and approver in the same record as the request. - Attach the affected workflow or product area so later reviewers can see where the decision was implemented. - Keep the evidence artifact, review trigger, and follow-up date together so the decision can be rechecked when the process changes. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding Data Act text for Article 4 indirect user access, Article 5 third-party sharing, Article 6 third-party use limits, verification limits, security restrictions, trade-secret safeguards, and redress routes. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ support for user verification, direct access versus third-party sharing, non-EU recipient limits, safety and security restrictions, GDPR legal-basis checks, and dispute settlement. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explainer support for Chapter II scope, readily available raw and pre-processed data, third-party sharing, trade-secret and security safeguards, and challenge routes. ### [Who should own Data Act indirect access request handling inside the team?](/artifacts/eu/data-act/faq/indirect-access-request-flows.md#who-should-own-data-act-indirect-access-request-handling-inside-the-team) *Module: [Data Act Indirect Access Request Flows](/artifacts/eu/data-act/faq/indirect-access-request-flows.md)* For Data Act indirect access request flows, the owner should be the team member who can coordinate product, legal, privacy, and support actions for the specific request path. The legal rule may sit with one team, but the operational response usually needs cross-functional ownership. - Assign a single accountable owner for the intake path, the third-party path, and the refusal or restriction path. - Record the affected workflow and the team that can approve product or service changes. - Keep the review trigger visible so ownership changes when the product, interface, or legal analysis changes. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding Data Act text for Article 4 indirect user access, Article 5 third-party sharing, Article 6 third-party use limits, verification limits, security restrictions, trade-secret safeguards, and redress routes. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ support for user verification, direct access versus third-party sharing, non-EU recipient limits, safety and security restrictions, GDPR legal-basis checks, and dispute settlement. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explainer support for Chapter II scope, readily available raw and pre-processed data, third-party sharing, trade-secret and security safeguards, and challenge routes. ### [Which supporting documents make the EU Data Act indirect access answer usable later for reviewers?](/artifacts/eu/data-act/faq/indirect-access-request-flows.md#which-supporting-documents-make-the-eu-data-act-indirect-access-answer-usable-later-for-reviewers) *Module: [Data Act Indirect Access Request Flows](/artifacts/eu/data-act/faq/indirect-access-request-flows.md)* For indirect access request flows, the most useful supporting material is whatever lets a later reviewer reconstruct the decision without guessing. That usually means the Data Act citation, request logs, product or service data map, the verification method, and any security or trade-secret notes. - Keep source URLs, request logs, data inventories, contract clauses, technical controls, notices, and approval records together. - Include the owner, affected workflow, and the decision rationale in the same evidence set. - Store a review trigger so the answer can be updated when the product design or request path changes. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding Data Act text for Article 4 indirect user access, Article 5 third-party sharing, Article 6 third-party use limits, verification limits, security restrictions, trade-secret safeguards, and redress routes. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ support for user verification, direct access versus third-party sharing, non-EU recipient limits, safety and security restrictions, GDPR legal-basis checks, and dispute settlement. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explainer support for Chapter II scope, readily available raw and pre-processed data, third-party sharing, trade-secret and security safeguards, and challenge routes. ### [When should the Data Act indirect access FAQ answer be reviewed again?](/artifacts/eu/data-act/faq/indirect-access-request-flows.md#when-should-the-data-act-indirect-access-faq-answer-be-reviewed-again) *Module: [Data Act Indirect Access Request Flows](/artifacts/eu/data-act/faq/indirect-access-request-flows.md)* For Data Act indirect access request flows, the answer should be reviewed when the product, service model, dataset, customer role, or contract wording changes, or when the team changes how requests are received or routed. - Review after changes to the product interface, account model, related service, data map, or delivery API. - Review after a new legal interpretation, complaint, or authority decision affects the request path. - Review after the ownership model or approval process changes so the named owner stays current. Sources for this answer: - [Regulation (EU) 2023/2854 (Data Act)](https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng?ref=sorena.io) - Binding Data Act text for Article 4 indirect user access, Article 5 third-party sharing, Article 6 third-party use limits, verification limits, security restrictions, trade-secret safeguards, and redress routes. - [European Commission - Data Act FAQs v1.4](https://ec.europa.eu/newsroom/dae/redirection/document/108144?ref=sorena.io) - Commission FAQ support for user verification, direct access versus third-party sharing, non-EU recipient limits, safety and security restrictions, GDPR legal-basis checks, and dispute settlement. - [European Commission - Data Act explained](https://digital-strategy.ec.europa.eu/en/factpages/data-act-explained?ref=sorena.io) - Commission explainer support for Chapter II scope, readily available raw and pre-processed data, third-party sharing, trade-secret and security safeguards, and challenge routes. ## FAQ Pagination - Canonical index (page 1): [/artifacts/eu/data-act/faq/items](/artifacts/eu/data-act/faq/items.md) - Page 1 rule: `/page/1` is intentionally not generated; use the canonical index markdown URL. - Current page: 6 of 24 Pages: [1](/artifacts/eu/data-act/faq/items.md) | [2](/artifacts/eu/data-act/faq/items/page/2.md) | [3](/artifacts/eu/data-act/faq/items/page/3.md) | [4](/artifacts/eu/data-act/faq/items/page/4.md) | [5](/artifacts/eu/data-act/faq/items/page/5.md) | [6](/artifacts/eu/data-act/faq/items/page/6.md) | [7](/artifacts/eu/data-act/faq/items/page/7.md) | [8](/artifacts/eu/data-act/faq/items/page/8.md) | [9](/artifacts/eu/data-act/faq/items/page/9.md) | [10](/artifacts/eu/data-act/faq/items/page/10.md) | [11](/artifacts/eu/data-act/faq/items/page/11.md) | [12](/artifacts/eu/data-act/faq/items/page/12.md) | [13](/artifacts/eu/data-act/faq/items/page/13.md) | [14](/artifacts/eu/data-act/faq/items/page/14.md) | [15](/artifacts/eu/data-act/faq/items/page/15.md) | [16](/artifacts/eu/data-act/faq/items/page/16.md) | [17](/artifacts/eu/data-act/faq/items/page/17.md) | [18](/artifacts/eu/data-act/faq/items/page/18.md) | [19](/artifacts/eu/data-act/faq/items/page/19.md) | [20](/artifacts/eu/data-act/faq/items/page/20.md) | [21](/artifacts/eu/data-act/faq/items/page/21.md) | [22](/artifacts/eu/data-act/faq/items/page/22.md) | [23](/artifacts/eu/data-act/faq/items/page/23.md) | [24](/artifacts/eu/data-act/faq/items/page/24.md) [Previous page](/artifacts/eu/data-act/faq/items/page/5.md) | [Next page](/artifacts/eu/data-act/faq/items/page/7.md) *Recommended next step* *Placement: before sources* ## Turn a Data Act FAQ answer into a scoped review Review one product, dataset, cloud contract, public-sector request, or smart-contract deployment against the cited Data Act source and keep the scope, role, evidence, and unresolved questions together. - [Open Research Copilot](/solutions/research-copilot.md): Check Data Act scope, GDPR boundaries, cloud switching, and contract questions with cited source outputs. - [Talk through Data Act implementation](/contact.md): Review one connected product, data-sharing contract, cloud switch, or public-sector request before committing to an implementation path. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/data-act/faq/items/page/6